Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fl0at0xff
New Contributor II

Why SNAT is applied ?

Hello I have a VIP for the server SCMAAS01 (10.128.0.30) where external IP is 10.146.136.30 and internal is 10.128.0.30. This VIP is just used in a policy (id 49) from an IPsec tunnel. (VPN_2_ETA) to internal interface (SERVER) for all protocols. For the other direction, I use an IP_POOL named NAT_SCMAAS01 where external IP range is 10.146.136.30-10.146.136.30 of type One-to-One. This object is only used in the policy (id 48) to internal interface (SERVER) from an IPsec tunnel. (VPN_2_ETA) for all protocols. Now, this server (10.128.0.30) is unable to go to internet. a policy exist to allow the trafic but I saw in the log that SNAT is applied too... In the policy (id 50) to allow this server to go to internet, NAT is configured of course but we don't use the NAT_POOL but the outgoing interface (195.141.249.225). Below the log.

SCMAFW01 # 2018-09-13 11:33:22 id=20085 trace_id=1503 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=6, 10.128.0.30:61013->8.8.8.8:53) from SERVERS. flag , seq 4119206949, ack 0, win 8192"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=init_ip_session_common line=5451 msg="allocate a new session-005aed6c"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-195.141.249.17 via wan1"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=fw_forward_handler line=743 msg="Allowed by Policy-50: SNAT"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=__ip_session_run_tuple line=3190 msg="SNAT 10.128.0.30->10.146.136.30:61013"
Can you help me please ?

1 Solution
rdumitrescu

If you configure a specific external interface and not just “any” you shouldn't have any problem

View solution in original post

8 REPLIES 8
Ashik_Sheik
Contributor II

Hi ,

 

Can u traceroute to internet (8.8.8.8) from the  server and check , may be you have configured policy based route for server .

 

Regds,

 

Ashik

Ashu 

 

Ashu
fl0at0xff

Hello @ashik,

 

no I haven't PBR on this firewall.

 

 

PS C:\Users\Administrator> TRACERT.EXE 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1 <1 ms <1 ms <1 ms 10.128.0.1
  2 * * * Request timed out.
  3 * * * Request timed out.

 

10.128.0.1 is the gateway on the fortigate for this server.

Ashik_Sheik

Looks like you have issues in static route or may policy .

 

Regds,

 

Ashik

Ashu 

 

Ashu
fl0at0xff

no... I have dozen of other servers in the same vlan and all is working fine. This server has a problem because it is the only one that have VIP and specific NAT on it.

rdumitrescu

Have you configured the VIP using external interface as “any” ?
fl0at0xff

yes and I guess I found my problem: When using vip without Port Forwarding enabled, the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

 

I need to specify port-forwarding first and probably the interface or the sources IP

rdumitrescu

If you configure a specific external interface and not just “any” you shouldn't have any problem
Ashik_Sheik

VIP Setting is mainly applied for incoming traffic to server not to out going , so it shouldn't be a problem i believe .

 

Just check policy or routing .Or you might have any persistence route in the server , check using route print .

 

Regds,

 

Ashik

Ashu 

 

Ashu
Labels
Top Kudoed Authors